{"result": {"cve": [{"id": "CVE-2012-0158", "type": "cve", "title": "CVE-2012-0158", "description": "The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers \"system state\" corruption, as exploited in the wild in April 2012, aka \"MSCOMCTL.OCX RCE Vulnerability.\"", "published": "2012-04-10T17:55:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-09-19T13:38:08"}], "saint": [{"id": "SAINT:D79A7CB8B12034409DA174D1F0EC34F3", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). 
\n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "published": "2012-04-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-12-14T16:58:05"}, {"id": "SAINT:691FBFDFE24704CB1E9FB73F0186260A", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). 
\n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "published": "2012-04-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-01-10T14:03:42"}, {"id": "SAINT:FA42FF32EDF77D4600EA8685EBDE9D45", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). 
\n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "published": "2012-04-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-10-03T15:01:58"}], "thn": [{"id": "THN:9CDDDE9DF3B3C8342BC878FBBF670968", "type": "thn", "title": "Beware! Cyber Criminals may spoil your Valentine's Day", "description": "[![](http://2.bp.blogspot.com/-UbDg_2GB7PM/UvnrUMicegI/AAAAAAAAaEM/KiTNTDtBQro/s728/Valentine-day-malware-hacking.jpg)](<http://2.bp.blogspot.com/-UbDg_2GB7PM/UvnrUMicegI/AAAAAAAAaEM/KiTNTDtBQro/s1600/Valentine-day-malware-hacking.jpg>)\n\n_Valentine's Day_ \\- a day of hearts, chocolates, flowers and celebrations, when people express their emotions to their loved ones; most of us send e-cards, purchase special gifts from various online shopping sites and make many other gestures to make them feel special.\n\n \n\n\nWhile you are busy Googling ideal gifts for your loved ones, cyber thieves are also busy taking advantage of such events by spreading various [malware](<http://thehackernews.com/search/label/Malware>), phishing campaigns and fraud schemes, as these days turn out to be a goldmine for cyber criminals.\n\n \n\n\n_Online Shopping Scams_ are popular among cyber criminals as they are the easiest way for hackers to steal money in untraceable ways.\n\n \n\n\nSecurity researchers at antivirus firm _Trend Micro_ [discovered](<http://blog.trendmicro.com/trendlabs-security-intelligence/breaking-up-with-valentines-day-online-threats/>) various Valentine's Day threats which are common on such occasions, e.g. 
an e-mail that appears to be a normal promotional message from a flower-delivery service, but whose links actually lead to various survey scams.\n\n \n\n\nThe malware threats also arrive during this season of love. The researchers recently found a new attack targeting Canadian users looking for a Romantic Dinner Giveaway. The email appears to be about a special Valentine Dinner, and has an attachment which is actually a malicious _.RTF_ file (_detected as TROJ_ARTIEF.VDY_) that uses a known buffer overflow vulnerability (_[CVE-2012-0158](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>)_) in Windows Common Controls to achieve remote code execution and drop a backdoor (BKDR_INJECT.VDY) onto the affected system.\n\n[![](http://2.bp.blogspot.com/-9TVw2Nf0xD0/UvnqlXFjJGI/AAAAAAAAaEE/uNtMfYZkQ6w/s728/Valentine-day-malware-hacking.png)](<http://2.bp.blogspot.com/-9TVw2Nf0xD0/UvnqlXFjJGI/AAAAAAAAaEE/uNtMfYZkQ6w/s1600/Valentine-day-malware-hacking.png>)\n\nThis Valentine's Day, with the popularity of Android phones and iPhones, it seems practical to impress your beloved by sending e-cards using various Valentine's Day apps, but you may not realize that along with the e-card you could also be inflicting [Android](<http://thehackernews.com/search/label/Android>) malware on your beloved, which could be worse for your relationship.\n\n \n\n\nThe security researchers from _Bitdefender_ recently released a report noting how such Valentine's Day apps could demand undue permissions that could violate users\u2019 privacy, rack up users\u2019 phone bills, and even possibly cause identity theft.\n\n \n\n\nThe researchers have detected various malware-inflicted apps, one of which is \u2018**Valentine\u2019s Day 2014 Wallpaper**.\u2019 The app records the user\u2019s location and browsing history without having any justification for asking for those permissions.\n\n \n\n\nAnother is \u2018**Valentine's Day Frames**\u2019, an app that reads the user\u2019s contacts list, which is logically an 
odd request because the app is only intended to adorn the user\u2019s romantic photographs with Valentine's Day themed photo frames. _So what\u2019s the use of reading your contact list for this app?_\n\n \n\n\nOne more, \u2018**Love Letters for Chat, Status**\u2019, allows you to share love quotes, letters, and even poems with your dearest friends, but the app is capable of sending emails, making phone calls, changing audio settings, and even modifying calendar events without your permission. So gifting this to your beloved may put an end to your sweet relationship.\n\n \n\n\nSeasonal deals and offers are commonplace, so it is the user\u2019s own duty to spot what\u2019s malicious and what\u2019s not. Following are some tips every Internet user must follow:\n\n * Do not open emails or click links from unknown sources.\n * Do not run attached files that come from unknown sources, especially these days.\n * The biggest bargains aren\u2019t always the biggest steals. If an offer sounds too good to be true, it probably is; if you are making purchases online, prefer a reputable shopping site and type the address of the store in the browser, rather than going through any links that have been sent to you.\n * Have an effective security solution installed on your system that is capable of detecting both known and new malware strains.\n\nDon\u2019t spread malware... Spread love :) Stay safe! 
Stay tuned to The Hacker News.\n", "published": "2014-02-10T22:26:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2014/02/beware-cyber-criminals-may-spoil-your.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-01-08T18:01:08"}, {"id": "THN:1CB1B7D76F76F9EF7FEE786E9D5B4DEC", "type": "thn", "title": "POWELIKS \u2014 A Persistent Windows Malware Without Any Installer File", "description": "[![POWELIKS \u2014 A Persistent Windows Malware Without Any Installer](http://3.bp.blogspot.com/-8CkpwB8JPN8/U999kcWKl_I/AAAAAAAAcqQ/EdVV47WNr10/s728/Poweliks-persistent-malware-windows-registry.jpg)](<http://3.bp.blogspot.com/-8CkpwB8JPN8/U999kcWKl_I/AAAAAAAAcqQ/EdVV47WNr10/s1600/Poweliks-persistent-malware-windows-registry.jpg>)\n\nMalware is nothing but malicious files stored on an infected computer system in order to damage the system, steal sensitive data from it or perform other malicious activities. But security researchers have uncovered a new and sophisticated piece of malware that infects systems and steals data without installing any file onto the targeted system.\n\n \n\n\nResearchers dubbed this [persistent malware](<http://thehackernews.com/search/label/Advanced%20Persistent%20Threat>) **Poweliks**; it resides in the computer registry only and is therefore not as easily detectable as other typical malware that installs files on the affected system, which can be scanned by antivirus or anti-malware software.\n\n \n\n\nAccording to [Paul Rascagneres](<https://twitter.com/r00tbsd>), Senior Threat Researcher and malware analyst at GData software, due to the malware\u2019s step-by-step, layered execution of code, the approach resembles the stacking principle of a Matryoshka doll.\n\n \n\n\nPaul has made a name for himself ripping apart malware and bots to uncover and undermine cyber crimes. 
He won last year's Pwnie Award at _Black Hat Las Vegas_ for tearing through the infrastructure of Chinese hacker group APT1.\n\n \n\n\nIn order to infect a system, the [malware](<http://thehackernews.com/search/label/Malware>) spreads via emails carrying a malicious Microsoft Word document; after that it creates an encoded autostart registry key and, to remain undetectable, keeps the registry key hidden, Rascagneres says.\n\n \n\n\nThe malware then creates and executes shellcode, along with a payload Windows binary that tries to connect to \u2018_hard coded IP addresses_\u2019 in an effort to receive further commands from the attacker.\n\n> \"_All activities are stored in the registry. No file is ever created,\"_ Rascagneres said in a [blog post](<https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html>). _\"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot._\u201d\n\n> _\"To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.\"_\n\nTo create an autostart mechanism, the malware creates a registry key whose name uses non-ASCII characters, which Windows Regedit cannot read or open.\n\n \n\n\n**CAPABILITIES OF POWELIKS MALWARE**\n\nPoweliks malware is quite dangerous and can perform a number of malicious activities. 
The malware can: \n\n * Download any payload\n * Install spyware on the infected computer to harvest users\u2019 personal information or business documents\n * Install banking Trojans in order to steal money\n * Install any other type of malicious software that can fulfil the needs of the attackers\n * Be used in botnet structures\n * Generate immense revenue through ad fraud\n\n_The non-ASCII trick is a technique Microsoft created and uses in order to hide its source code from being copied or tampered with, but this feature was later cracked by a security researcher. _\n\n[![POWELIKS \u2014 A Persistent Windows Malware Without Any Installer](http://1.bp.blogspot.com/-wwHjFi73t9w/U998OfeEGVI/AAAAAAAAcqI/-WWnTsYObIA/s728/poweliks_regedit_.png)](<http://1.bp.blogspot.com/-wwHjFi73t9w/U998OfeEGVI/AAAAAAAAcqI/-WWnTsYObIA/s1600/poweliks_regedit_.png>)\n\nThe security and malware researchers on the _KernelMode.info_ forum last month analysed a sample dropped by a Microsoft Word document that exploited the vulnerability described in CVE-2012-0158, which affected Microsoft products including Microsoft Office. \n\n \n\n\nThe malware authors distributed the malware as an attachment to fake Canada Post and/or USPS emails allegedly holding tracking information.\n\n> \"_This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. 
The mechanism can be used to start any program on the infected system and this makes it very powerful,_\" Rascagneres said.\n", "published": "2014-08-04T01:37:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2014/08/poweliks-persistent-windows-malware.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-01-08T18:00:58"}, {"id": "THN:D9114576EA7861D9D8859B9EF23814E4", "type": "thn", "title": "Surveillance malware targets 350 high profile victims in 40 countries", "description": "[![](http://2.bp.blogspot.com/-M8cMLC5NtdI/Ua4XqeyaL9I/AAAAAAAAV9g/soz4j7rFh4E/s640/Surveillance+malware+targets+350+high+profile+victims+in+40+countries.png)](<http://2.bp.blogspot.com/-M8cMLC5NtdI/Ua4XqeyaL9I/AAAAAAAAV9g/soz4j7rFh4E/s1600/Surveillance+malware+targets+350+high+profile+victims+in+40+countries.png>)\n\nA global cyber espionage campaign affecting over 350 high profile victims in 40 countries, appears to be the work of [Chinese hackers](<http://thehackernews.com/2013/02/chinese-government-targets-uyghur-group.html>) using a Surveillance malware called \"**_NetTraveler_**\".\n\n \n\n\nKaspersky Lab\u2019s team of experts published a new research [report](<http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf>) about NetTraveler, which is a family of malicious programs used by APT cyber crooks. The main targets of the campaign, which has been running since 2004, are Tibetan/Uyghur activists, government institutions, contractors and embassies, as well as the oil and gas industry.\n\n[Spear phishing](<http://thehackernews.com/2011/01/spear-phishing-latest-ploy-to-steal.html>) emails were used to trick targets into opening [malicious documents](<http://thehackernews.com/2012/01/print-of-one-malicious-document-can.html>). 
The attackers are using two vulnerabilities in Microsoft Office, Exploit.MSWord.CVE-2010-333 and Exploit.Win32.CVE-2012-0158, which have been patched but remain highly popular on the hacking scene, and have run NetTraveler alongside other malware. \n \nC&amp;C servers are used to install additional malware on infected machines and exfiltrate stolen data; more than 22 gigabytes of stolen data were found stored on NetTraveler\u2019s C&amp;C servers.\n\n \n\n\nAccording to researchers, the largest number of samples they observed were created between 2010 and 2013. The largest number of infections has been spotted in Mongolia, India and Russia, also in China, South Korea, Germany, the US, Canada, the UK, Austria, Japan, Iran, Pakistan, Spain and Australia.\n\n \n\n\nResearchers believe that the team of hackers behind this attack consists of 50 individuals, most of whom speak Chinese natively but also have a decent level of English.\n\n \n\n\nSix victims were also hit by the [Red October](<http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html>) attackers, whom Kaspersky had profiled last year. 
Those victims included a military contractor in Russia and an embassy in Iran.\n", "published": "2013-06-04T05:39:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2013/06/surveillance-malware-targets-350-high.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-01-08T18:01:20"}, {"id": "THN:DC21EBE0272DEA3B043A3EB0A5B5B1DA", "type": "thn", "title": "Terminator RAT became more sophisticated in recent APT attacks", "description": "None\n", "published": "2013-10-27T05:37:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2013/10/terminator-rat-became-more.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-01-08T18:01:13"}, {"id": "THN:59AA6ADFEEB67D7E156CDF3579330697", "type": "thn", "title": "Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments", "description": "[![](http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png)](<http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png>)\n\n**Kaspersky Lab** has identified another [Chinese APT campaign](<http://thehackernews.com/search/label/APT1>), dubbed \u2018**Icefog**\u2019, which targeted governmental institutions, military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.\n\n \n\n\nThe hacking group behind the attack, which carries out surgical [hit and run operations](<http://thehackernews.com/search/label/cyber%20espionage>), is an [advanced persistent threat](<http://thehackernews.com/search/label/Chinese%20Hackers>) (APT) group that used a backdoor dubbed Icefog that worked across Windows and 
[Mac OS X](<http://thehackernews.com/search/label/Mac%20OS>) to gain access to systems.\n\n\"_The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide_,\" [the report](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>) (PDF) said. \n \n\n\nThis China-based [campaign](<http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html>) is almost two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a [spear-phishing](<http://thehackernews.com/search/label/Spear%20Phishing>) email, or are lured to a compromised website and infected with [malware](<http://thehackernews.com/search/label/Malware>).\n\nThe attackers embed exploits for several known [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.\n\n \n\n\nOnce a computer has been compromised, the hackers upload [malicious tools](<http://thehackernews.com/search/label/hacking%20tool>) and backdoors. 
They look for email account credentials, sensitive documents and passwords to other systems.\n\n[![](http://2.bp.blogspot.com/-XiMXWdrJEd0/UkWrQ-NuzjI/AAAAAAAAXy8/Otpp4n6YeSY/s640/Spear+phishing+mail.png)](<http://2.bp.blogspot.com/-XiMXWdrJEd0/UkWrQ-NuzjI/AAAAAAAAXy8/Otpp4n6YeSY/s1600/Spear+phishing+mail.png>)\n\n \n\n\n\"_We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia_,\" the research team said.\n\n \n\n\nThere is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.\n\n[![](http://4.bp.blogspot.com/-ZFm4K6kLoyI/UkWsMlnzypI/AAAAAAAAXzI/bJ9suAFvclM/s1600/statistics.png)](<http://4.bp.blogspot.com/-ZFm4K6kLoyI/UkWsMlnzypI/AAAAAAAAXzI/bJ9suAFvclM/s1600/statistics.png>)\n\nIn total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. 
They are now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.\n", "published": "2013-09-27T05:05:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html", "cvelist": ["CVE-2012-1856", "CVE-2012-0158"], "lastseen": "2017-01-08T18:01:15"}, {"id": "THN:B02C7C78600ED331232ABD4D1F8D2C4A", "type": "thn", "title": "Operation Red October : Cyber Espionage campaign against many Governments", "description": "A sensational new discovery has been announced by Kaspersky Lab\u2019s Global Research &amp; Analysis Team as the result of an investigation after several attacks hit computer networks of various international diplomatic service agencies.\n\n[![](http://3.bp.blogspot.com/-oLHA29NAIM8/UPUy7lMIn9I/AAAAAAAAAI4/5CzgGdxDSeU/s1600/Red+October+Operation.png)](<http://3.bp.blogspot.com/-oLHA29NAIM8/UPUy7lMIn9I/AAAAAAAAAI4/5CzgGdxDSeU/s1600/Red+October+Operation.png>)\n\nA new large scale [cyber-espionage](<http://securityaffairs.co/wordpress/11405/intelligence/cyberespionage-another-watering-hole-attack-against-us-website.html>) operation has been discovered, named **Red October**, a name inspired by the famous novel **The Hunt For The Red October (ROCRA)** and chosen because the investigation started last October.\n\n \n\n\nThe campaign hit hundreds of machines belonging to the following categories:\n\n * Government\n * Diplomatic / embassies\n * Research institutions\n * Trade and commerce\n * Nuclear / energy research\n * Oil and gas companies\n * Aerospace\n * Military\n\nThe attackers have targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP servers and siphoning files from local network FTP 
servers.\n\n \n \n\n\nAccording to security experts involved in the investigation, the cyber-espionage campaign has been running since 2007 and is still active; during this long period the attackers obtained a huge quantity of information, such as service credentials that have been reused in later attacks.\n\n \n\n\nThe control structure discovered is very complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&amp;C architecture is that the network is arranged to hide the true mothership server behind the proxy functionality of every node in the malicious structure.\n\n \n\n\nSecurity experts were able to sinkhole six of the 60 domains used during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victims\u2019 IPs in 39 different countries, with most of the IPs being from Switzerland. Kazakhstan and Greece follow next.\n\n[![](http://3.bp.blogspot.com/-2eJDE126xVU/UPUzWdD6aII/AAAAAAAAAJA/bK4zpvEs7WA/s1600/Red+October+Operation.png)](<http://3.bp.blogspot.com/-2eJDE126xVU/UPUzWdD6aII/AAAAAAAAAJA/bK4zpvEs7WA/s1600/Red+October+Operation.png>)\n\n**Red October Geo-distribution of victims**\n\nWhich vulnerabilities were exploited for the attacks?\n\nThe security experts discovered that at least three different known vulnerabilities have been exploited:\n\n * CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]\n * CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]\n * CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]\n\nEvidence collected during the investigation led security specialists to believe that the attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now. 
The exploits appear to have been created by Chinese hackers.\n\n \n\n\n**Attack Method**\n\nThese attacks are structured in two distinct phases, following the classic schema of targeted attacks:\n\n 1. Initial infection\n 2. Additional modules deployed for intelligence gathering\n\nIn the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents). Once victims opened the malicious document, the embedded malicious code initiated the setup of the main component, which in turn handled further communication with the C&amp;C servers; afterwards the malware receives a number of additional spy modules from the C&amp;C server. \n \n\n\nThe way the entire network is infected is very efficient: the hackers used a module to scan the target infrastructure for vulnerable machines. The attacks against each machine and related services are made by exploiting the above vulnerabilities or by gaining access using credentials collected during other attacks of the same campaign. \n \n\n\nWhat alarms me is that such campaigns could be going on for years with disastrous consequences ... _what to do at this point? How is it possible that an operation so extensive escaped the worldwide security community for so long? Who is behind the attacks? Cyber criminals or state-sponsored hackers?_\n\n \n\n\n**UPDATE 2013/01/15**\n\nJeffrey Carr, founder and CEO of Taia Global, Inc, posted on [his blog](<http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html>):\n\n \n\n\nThe developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a \u2018t\u2019. 
I ran 13 IPs listed in Kaspersky\u2019s report against the [RBN list](<http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt>) maintained by James McQuade and found matching IP blocks for five of them:\n\n \n\n\n**Malicious servers**\n\n * 178.63.208.49 matches to 178.63.\n * 188.40.19.247 matches to 188.40.\n * 78.46.173.15 matches to 78.46.\n * 88.198.30.44 matches to 88.198.\n\n**Mini-motherships**\n\n * 91.226.31.40 matches to 91.226.\n\nIt has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.Red October is already the most significant find of the new year. 
If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it\u2019s going to be one of the most important discoveries of the decade.\n", "published": "2013-01-14T23:49:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2009-3129"], "lastseen": "2017-01-08T18:01:26"}], "threatpost": [{"id": "ATTACKS-SCADA-ICS-HONEYPOTS-MODIFIED-CRITICAL-OPERATIONS-031913/77642", "type": "threatpost", "title": "Attacks on SCADA, ICS Honeypots Modified Critical Operations", "description": "With antiquated gear running the country\u2019s industrial control systems that oversee critical infrastructure, it\u2019s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.\n\nA researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a server hosting a human machine interface (HMI) system and another machine hosting a real programmable logic controller (PLC).\n\nWhat threat researcher Kyle Wilhoit of Trend Micro found during a 28-day trial was that attackers are determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they\u2019re able to successfully access a system.\n\n\u201cI didn\u2019t expect the attack scenarios I saw happen,\u201d Wilhoit told Threatpost. \u201cI didn\u2019t expect attackers to look at the site admin stuff and deeper into the company behind the gear. I can now draw a parallel to the reconnaissance attackers do on companies and infrastructure; we see a lot of those parallels on devices now.\u201d\n\nDuring the trial, 39 attacks were carried out against the honeypots, originating in 14 countries, most of them coming from China, Laos and the United States. For the purposes of his [research](<http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf>), which was presented at Black Hat EU last week, Wilhoit did not consider automated port scans and SQL injection attempts as attacks. The only attempts considered attacks were those that were a threat to a secure area of the websites, attempts to modify a controller, attacks on specific SCADA protocols such as Modbus, and attempts to gain access to cause damage.\n\nThe sites were left exposed online with default configurations, including default credentials such as admin/admin or SA/SA. Text on the sites was optimized for search engines so that Google and others would easily find them, and the server names, for example, were fairly attractive names such as SCADA-1.\n\nThe result was a disturbing view into the activities around these critical systems. 
One incursion was able to gain access to a supposed water pumping station and shut it down or modify water output temperatures, in one case to 170 degrees Fahrenheit.\n\n\u201cThey logged in, made a modification and logged out,\u201d Wilhoit said. \u201cThese were repeat attacks based on default credentials for specific ICS and SCADA equipment. They were able to modify it directly and perform what was perceived to be catastrophic damage. They definitely thought they were successful.\u201d\n\nWilhoit said 12 of the attacks were unique and targeted the specific equipment in use; 13 were repeated by the same attackers, indicating some sort of automation and targeting. Some attackers would come back at the same times twice a day and try to exploit the same vulnerabilities over and over, or move on to new attacks once they were unable to exploit one.\n\nMost of the attacks logged by the honeypots were unauthorized access attempts to diagnostics pages, or attempts to modify Modbus traffic; Modbus is a communications protocol specific to ICS and SCADA equipment. One of the malware attacks originated with a spear phishing email carrying a malicious Word document exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a vulnerability that enables remote code execution used in many targeted attacks. Another attack attempted to use an unauthorized Modbus client to gain read/write access to the PLC honeypot, a sign reconnaissance is occurring, Wilhoit said.\n\nThe bigger question, however, is why. Why is this gear online with default credentials and configurations and how many attacks where pumping stations are shut down or water temperature is modified occur?\n\n\u201cThe primary reason this is occurring is that these systems were deployed 20 to 30 years ago, prior to security architecture being the way it is today,\u201d Wilhoit said. 
\u201cThe technology gap has gotten a lot larger, and ICS hasn\u2019t caught up to where security infrastructure is at right now. It\u2019s difficult for devices to be turned down; that will halt business in that sector for some time. If you reboot a server, coal is not coming out of the ground. That affects the bottom line.\n\n\u201cIt also begs the question: Are companies disclosing it, or are they even aware it\u2019s occurring,\u201d Wilhoit said. \u201cThere\u2019s quite a big separation from the security guy and the ICS engineer whose main responsibility is to ensure devices stay up and are operational. Would they even be aware? I don\u2019t know, but I\u2019d be comfortable in saying these types of attacks are occurring.\u201d", "published": "2013-03-19T19:04:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/attacks-scada-ics-honeypots-modified-critical-operations-031913/77642/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:44:53"}, {"id": "MH-370-RELATED-PHISHING-ATTACKS-SPOTTED-AGAINST-GOVERNMENT-TARGETS/105024", "type": "threatpost", "title": "Malaysia Airlines Flight 370 spear phishing emails spotted", "description": "Hold off on the notion that [watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/77647>) may supplant [phishing as the initial means of compromise](<http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012/77267>) in advanced attacks. A number of recent targeted campaigns have used the crash of Malaysia Airlines 370 as a lure to infect government officials in the U.S. 
and Asia-Pacific.\n\nFireEye today published research on a number of [spear phishing attacks](<http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html>) that contained either infected attachments or links to malicious websites. One Chinese group, [admin@338](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>), has been active in the past targeting international financial firms that have expertise in analyzing global economic policies. Two days after flight 370 was reported missing, a spear phishing email was sent to government officials in Asia-Pacific, FireEye said, with an attachment referring to the missing airliner.\n\nUsers who clicked on the attachment saw a blank document, while in the background a variant of the Poison Ivy Trojan was installing and eventually established a backdoor to www[.]verizon[.]proxydns[.]com. This group has used both Poison Ivy and this domain in previous attacks, FireEye said.\n\nPoison Ivy has some miles on it, but security researchers say hacker groups, in particular some with ties to China, continue to make use of it. 
The malware is a remote access Trojan that allows attackers to not only set up backdoor communication with infected machines, but push additional malicious code, steal documents and system information, and pivot internally.\n\nFireEye said it monitored a second attack from the admin@338 group which targeted a \u201cU.S.-based think tank\u201d on March 14. The malicious attachment pretended to be a Flash video related to the missing plane and attached a Flash icon to the executable, researchers said.\n\nThis version of Poison Ivy connected to its command and control at dpmc[.]dynssl[.]com:443 and www[.]dpmc[.]dynssl[.]com:80, FireEye said, adding that the phony Verizon domain used in the first attack also resolved to an IP used by this attack as well.\n\nAdmin@338 is not the only hacker group using the Malaysia tragedy to its advantage. On March 9, a malicious executable disguised as a PDF connected to a command and control server at net[.]googlereader[.]pw:443. The victim is shown a phony PDF purporting to be a CNN story about the disappearance of the flight.\n\nThree more samples were detected that used a Word document, or an executable, disguised as a .DOC extension, dropping an exploit for CVE-2012-0158 used in the [IceFog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>), [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) and [Red October APT](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/77397>) campaigns reported by Kaspersky Lab. 
All of these exploits behaved similarly, targeting high-value victims with backdoor connections.", "published": "2014-03-25T16:04:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/mh-370-related-phishing-attacks-spotted-against-government-targets/105024/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:49:13"}, {"id": "EXTENSIBLE-ATTACK-PLATFORM-HAS-FAMILIAR-FEEL/103021", "type": "threatpost", "title": "Grand Theft Auto Panda APT Espionage Attack Platform", "description": "Researchers have discovered a mature attack platform that\u2019s enjoyed great success eluding detection and made good use of an exploit present in a number of espionage campaigns.\n\nThe attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia and only after being tested against activist targets in the region. Nicknamed [Grand Theft Auto Panda](<http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml>) by researcher Jon Gross of Cylance, the attacks rely on the well-worn exploits used against [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). 
Malicious Microsoft Office documents are sent to the victim, who must interact with the .xls, .doc, or other file in a phishing email or website in order to exploit the vulnerability and inject malware or cause a service disruption.\n\nThese attacks are not carried out on the same scale as those by the [Comment Crew](<http://threatpost.com/comment-crew-expos-new-level-china-attack-attribution-021913>) or other high profile APT gangs. Specific targets are chosen in these campaigns, and those targets are phished with convincing messaging, such as a negative customer service review as in one attack spotted by Cylance.\n\nThe platform has been around for a few years and can be used to steal not only system and network information, but documents and credentials, in addition to opening a backdoor connection to the attacker in order to move stolen data.\n\n\u201cIt\u2019s more of an extensible platform to where they can add in any functionality they want as a plug-in. It\u2019s more of an infection framework than any specific Trojan,\u201d Gross said. \u201cThey can modify the components over time and not have to really worry about it if the main component is never detected. 
This is more like an extensible platform where they add in functionality, screen capture, key logging, they just send it up as a plug in.\u201d\n\nCVE-2012-0158, meanwhile, has been a favorite among nation-state attackers seeking to infiltrate corporations or activist groups for espionage or surveillance. It was detected in the [Icefog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>) and [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) campaigns discovered by Kaspersky Lab. Both were linked to operatives in China and follow a similar pattern to GTA Panda in that they\u2019re attacking both activists and manufacturing companies.\n\n\u201cWe see a lot of people who are attacking industries, also attacking human rights groups. We\u2019ve always thought it just comes down as a directive from whomever to test this against them,\u201d Gross said. \u201cWe see a lot of new malware tested against human rights activists before it ever makes its way to the corporate environments. The original stuff I found was not targeted against human rights, but as I dug into it, I saw more and more stuff that was also additionally targeting human rights; and that was older stuff before they moved on to corporations.\u201d\n\n[NetTraveler](<http://threatpost.com/nettraveler-variant-adds-java-exploits-watering-hole-attacks-to-bag-of-tricks/102156>), for example, made use of the CVE-2012-0158 Office exploits to target the Uyghur and Tibetan activists, before moving on to oil and energy companies as well as diplomats and government agencies around the world.\n\n\u201cIt\u2019s kinda like a Darwinian evolution of malware. If it passes the first test, it\u2019s survival of the fittest. The things that don\u2019t get detected get reused,\u201d Gross said. \u201cHuman rights are almost like a playground. 
They\u2019re always a target, and we see a lot of malware that\u2019s used against them before anyone else.\u201d\n\nAs for the platform, its staying power is due to its stealth.\n\n\u201cThe big thing is moving functionality out of the actual files that get loaded into [victims\u2019 machines] because then it doesn\u2019t look suspicious until that file subsequently loads something else that performs the malicious activity,\u201d Gross said. \u201cThe malicious components are sitting there encrypted on disk, where your typical security product is not going to find that unless they already know about it.\u201d\n\nThere are also layers of encryption protecting the attack that shield it from detection, Gross said. As for the exploits, lax patching is likely the biggest culprit; in this case, CVE-2012-0158 was patched more than 18 months ago by Microsoft. Combine that with effective social engineering in the phishing messaging\u2014in particular from spoofed, trusted email addresses\u2014and that\u2019s a potent cocktail for trouble.\n\n\u201cIf you get emails that look like they\u2019re coming from trusted parties and people you usually communicate with, then our guard drops and we\u2019re much more likely to say OK, I\u2019ll open that,\u201d Gross said. \u201cI think they rely on that really heavily, especially with the activist community because they know all these people and they know who they communicate with on a regular basis and they try to make it look like it comes from them. 
Their guard\u2019s totally down and they\u2019re not worried about it.\u201d", "published": "2013-11-25T10:26:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/extensible-attack-platform-has-familiar-feel/103021/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:48:25"}, {"id": "RED-OCTOBER-ATTACKERS-RETURN-WITH-CLOUDATLAS-APT-CAMPAIGN/109806", "type": "threatpost", "title": "Red October Attackers Return With CloudAtlas APT Campaign", "description": "The attackers behind the [Red October APT campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413>) that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.\n\nRed October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some Eastern European countries, government agencies and research organizations with malware that could steal data from desktops, mobile devices and FTP servers. The attackers had a wide variety of tools at their disposal and used unique victim IDs and had exploits for a number of vulnerabilities. The Red October attacks began with highly targeted spear phishing emails, some of which advertised a diplomatic car for sale.\n\nThe new CloudAtlas campaign, disclosed Wednesday by researchers at Kaspersky Lab, also uses that same spear phishing lure and has targeted some of the same victims hit by Red October. Researchers believe the same group may be behind both campaigns, based on similarities in tactics, tools and targets.\n\n\u201cIn August 2014, some of our users observed targeted attacks with a variation of [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) and an unusual set of malware. 
We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world,\u201d researchers at Kaspersky said in an [analysis](<https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/>) of the attack. \n\n\u201cAt least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: \u201cDiplomatic Car for Sale.doc\u201d. As we started digging into the operation, more details emerged which supported this theory. Perhaps the most unusual fact was that the Microsoft Office exploit didn\u2019t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.\u201d\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines. In one case, a machine was attacked only twice in the last two years, once by Red October and once by CloudAtlas. Both campaigns also hit victims in the same countries: Russia, Belarus, Kazakhstan and India. The two campaigns also use similar malware tools.\n\n\u201cBoth Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used \u2013 RC4 in RedOctober vs AES in Cloud Atlas,\u201d Kaspersky researchers said.\n\n\u201cThe usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. 
In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the \u2018scheduler\u2019 plugin uses it to decompress executable payloads from the C&C.\u201d\n\nThe C2 infrastructure for the CloudAtlas campaign is somewhat unusual. The attackers are using accounts at Swedish cloud provider CloudMe to communicate with compromised machines.\n\n\u201cThe attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism,\u201d the researchers said.\n\nOfficials at CloudMe said on Twitter that they are working to delete any CloudAtlas C2 accounts.\n\n\u201cYes, we are permanently deleting all accounts that we can identify as involved in the [#inception](<https://twitter.com/hashtag/inception?src=hash>) [#cloudatlas](<https://twitter.com/hashtag/cloudatlas?src=hash>) [#apt](<https://twitter.com/hashtag/apt?src=hash>) [#surveillance](<https://twitter.com/hashtag/surveillance?src=hash>),\u201d the company [said](<https://twitter.com/CloudMe_com/status/542636290274246656>).\n\nResearchers at Blue Coat have also looked at the new campaign, which they\u2019ve named Inception, and found that the attackers have created tools to compromise a variety of mobile platforms, as well.\n\n\u201cThe framework continues to evolve. Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. 
To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher,\u201d Snorre Fagerland and Waylon Grange from Blue Coat Lab wrote.\n\n_Image from Flickr photos of [Kevin Dooley](<https://www.flickr.com/photos/pagedooley/>). _", "published": "2014-12-10T11:12:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:52:25"}, {"id": "RUSSIAN-APT28-GROUP-LINKED-TO-NATO-POLITICAL-ATTACKS/109049", "type": "threatpost", "title": "Russian APT28 Group Linked to NATO, Political Attacks", "description": "A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the [MiniDuke espionage campaign](<http://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569>) uncovered more than a year ago.\n\nDubbed [APT28](<http://www.fireeye.com/resources/pdfs/apt28.pdf>) by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, FireEye said, operates as a professional team with indicators of long-term software development planning and operational security tactics in place. 
They operate during business hours, on Moscow time, and use phishing lures specific to government and military officials of political and strategic value to the Russian government, the report said.\n\nKaspersky Lab Global Research & Analysis Team expert Aleks Gostev said this same group is also known as Sofacy and may have ties to the MiniDuke campaign. The [MiniDuke campaign also was used for political and military espionage](<http://threatpost.com/miniduke-apt-campaign-returns-with-new-targets-hacking-tools/107008>) but relied on a number of unusual tactics in a shotgun-style approach with 59 victims in 23 countries, most of those in Europe.\n\nLike MiniDuke, APT28 relies on phishing emails to penetrate organizations. The messages are spiked with convincing decoy documents that kick off a string of infections and backdoors where stolen information is ultimately encrypted and sent to a command and control server.\n\nLaura Galante, manager of threat intelligence at FireEye, said they have not been able to determine how successful APT28 has been with these three particular sets of targets.\n\n\u201cThat\u2019s part of the open question,\u201d Galante said. 
\u201cWe can see the targets in Eastern Europe by the lures they use and domains they\u2019ve registered, but we don\u2019t have perfect visibility on what they\u2019re doing with the targets they\u2019re able to compromise. If you can get into the email of an Eastern European military attache, what are they doing with the stolen communication? I would wager they\u2019re probably using it to think about their own policy decisions and shape their responses to military and political affairs.\u201d\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007. The development platforms are flexible and built for long-term use, and the coders are skilled not only at building custom malware, but also coding in barriers that complicate reverse engineering and other forensic analysis.\n\nFireEye said in its report that the malware samples include Russian language settings and were compiled in a Russian language build environment starting in 2007\u2014more than 96 percent of the samples were compiled between Monday and Friday and 89 percent between 8 a.m. and 6 p.m. UTC+4 time zone, FireEye said.\n\nThree primary targets all have political or military value to the Russian government. Attacks on one target, the Georgian government, ramped up following the 2008 war with Georgia and that country\u2019s subsequent growing ties to the West. Specifically, attacks against the Georgian Ministry of Internal Affairs and the Ministry of Defense were carried out. 
Spear phishing attacks tailored to particular people or organizations at each ministry were found, each with a different exploit for a Microsoft Office vulnerability.\n\n\u201cIn general, the group relies on older exploits, such as CVE-2012-0158, and it does not appear to be as sophisticated in terms of technical skills as other groups, for instance [Turla](<http://threatpost.com/epic-operation-kicks-off-multistage-turla-apt-campaign/107612>),\u201d Kaspersky\u2019s Gostev said.\n\nSeparate attacks were also discovered against the Eastern European Ministry of Foreign Affairs, the Polish government, NATO, OSCE, defense attaches working in Eastern European countries, and even attendees of European defense exhibitions, each following a similar pattern as other APT28 attacks, FireEye said.\n\n\u201cThe malware used in these attacks has some interesting features, but when you\u2019re thinking about how they\u2019re getting on networks, they\u2019re still relying on spear phishing,\u201d Galante said. \u201cThey\u2019re still requiring and dependent on a user mistake to get on a network.\u201d\n\nThe malware, Galante said, is custom built by the group. Once a victim opens a spear phishing email and executes the malware tucked in the tainted Office attachment, a dropper malware loads the Sofacy downloader which grabs second-stage malware from a command and control server, Galante said. A backdoor is established for anything from shellcode execution, credential theft and system monitoring. Implants are then dropped onto the victim\u2019s machine that include counter reverse-engineering features that disrupt static analysis of the malware. 
Stolen data is protected with RSA encryption as it moves from the victim to the controller, FireEye said.\n\nUnlike Chinese APT groups that have been unmasked, Galante said Russian groups don\u2019t generally steal intellectual property.\n\n\u201cWith the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,\u201d Galante said. \u201cThe majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.\u201d", "published": "2014-10-28T12:23:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:47:56"}, {"id": "NEW-INDIA-BASED-SPY-MALWARE-CAMPAIGN-TARGETING-PAKISTANIS/100664", "type": "threatpost", "title": "Spyware Campaign Originating in India Targeting Pakistanis", "description": "A new malware campaign has been hitting Pakistan hard over the last few months and after a little e-sleuthing, it appears the not-so-stealthy attacks have been originating from nearby India and exploiting a certificate to run its binaries.\n\nSecurity firm Eset has a full rundown of the campaign today on its [WeliveSecurity.com](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>) blog by malware researcher Jean-Ian Boutin, including an array of details involving how the attack has been executed and the types of payloads being deployed on unsuspecting Pakistanis\u2019 computers.\n\n
This campaign relies on the exploitation of a bogus digitally signed certificate from the Indian company Technical and Commercial Consulting Pvt. Ltd. The certificate was initially issued in 2011 and revoked for files signed after March 2012, yet it was still used to sign more than 70 different malicious binaries on and off from that March until September of that year.\n\nThe malware uses two vectors \u2013 the first is a well-known Word document vulnerability, CVE-2012-0158, that\u2019s been used in everything from the [Red October campaign](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) to a bevy of [attacks against Tibetan and Uyghur users](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) as of late. 
The other vector spread Word and PDF files that once opened, \u201cdownloads and executes additional malicious binaries.\u201d Some of those files are disguised as \u201cpakistandefencetoindiantopmiltrysecreat.exe\u201d and \u201cpakterrisiomforindian.exe,\u201d according to the blog post.\n\n[![pakistan_india](https://trtpost-wpengine.netdna-ssl.com/files/2013/05/pakistan_india.jpg)](<https://trtpost-wpengine.netdna-ssl.com/files/2013/05/pakistan_india.jpg>)\n\nPayloads are set up to glean data \u2013 screenshots, keystrokes, documents in the computer\u2019s trash \u2013 from users\u2019 computers and in turn send them to the attackers\u2019 servers. Interestingly enough, as Boutin notes, the information is being uploaded to the attacker\u2019s computer unencrypted, so it\u2019s easy to see what exactly is being transferred.\n\nThe blog also notes a number of Indian connections, including the mysterious Indian code signing certificate, references to Indian culture in the binaries and signing timestamps between 5:06 and 13:45, consistent with eight hour shifts worked in India.\n\nAn accompanying graph in the blog entry suggests that while other nations are being hit by the campaign, it\u2019s largely affecting Pakistan, with 79 percent of the targets affecting that South Asian country.\n\n[![detection_distribution](https://trtpost-wpengine.netdna-ssl.com/files/2013/05/detection_distribution.png)](<https://trtpost-wpengine.netdna-ssl.com/files/2013/05/detection_distribution.png>)\n\nA similar type of malware, [Redpill](<http://threatpost.com/data-stealing-spyware-redpill-back-targeting-india-041113/>), was found hijacking users in India last month. 
That campaign also stole screenshots, in addition to bank account credentials and email information and was the second coming of a malware strain that made its first appearance in 2008.\n\nBoutin\u2019s full research on the malware targeting Pakistan is being presented at the Caro Workshop, a security conference in Bratislava, Slovakia tomorrow. For more on his research, head to [ESET\u2019s blog](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>).", "published": "2013-05-16T16:04:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/new-india-based-spy-malware-campaign-targeting-pakistanis/100664/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:53:09"}, {"id": "NAIKON-APT-GROUP-TIED-TO-CHINAS-PLA-UNIT-78020/114798", "type": "threatpost", "title": "China PLA Unit 78020 Cyberespionage Naikon APT", "description": "Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?\n\nGe Xing is the subject of a joint [report](<http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=81f1c199-859f-41e9-955b-2eec13777720>) published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. 
Ge is alleged to be a member of the People\u2019s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China\u2019s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.\n\nThe report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).\n\nControl over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. 
The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries\u2019 military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.\n\n\u201cThe South China Sea is seen as a key geopolitical area for China,\u201d said Dan Alderman, deputy director of DGI. \u201cWith Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.\u201d\n\nThe report is just the latest chess piece hovering over Jinping\u2019s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others. Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government.\n\nA letter sent to American technology companies this summer, a _[New York Times](<http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html>)_ report last week, said that China would ask American firms to store Chinese user data in China. 
China also reportedly asked that U.S.-built software and devices sold in China be \u201csecure and controllable,\u201d which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.\n\nJinping, meanwhile, tried to distance himself from the fray when he said in a _Wall Street Journal_ interview: \u201cCyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.\u201d\n\n_Journal_ reporter [Josh Chin connected with Ge Xing over the phone](<http://www.wsj.com/articles/cyber-sleuths-track-hacker-to-chinas-military-1443042030>) and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police. While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group was quickly shut down and taken offline.\n\nIn May, researchers at Kaspersky Lab published a report on [Naikon](<https://securelist.com/analysis/publications/69953/the-naikon-apt/>) and documented five years of activity attributed to the APT group. It describes a high volume of [geo-politically motivated attacks](<https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/>) with a high rate of success infiltrating influential organizations in the region. The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.\n\nLike most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a favorite target for APT groups. The vulnerability is a buffer overflow in the ActiveX controls of a Windows library, MSCOMCTL.OCX. 
The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.\n\nChin\u2019s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic. The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit\u2019s technical reconnaissance bureau.\n\n\u201cDoing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group\u2019s activity,\u201d said Rich Barger, CIO and cofounder of ThreatConnect. \u201cWe\u2019ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.\u201d\n\nThe report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group\u2019s infrastructure, even embedding certain names in families of malware attributed to them. 
All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.\n\n\u201cIf you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,\u201d Barger said. \u201cYou don\u2019t influence what they\u2019re influencing in the region if you don\u2019t have the intel support capabilities fueling that operational machine.\u201d", "published": "2015-09-24T13:37:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/114798/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:44:50"}, {"id": "TARGETED-ESPIONAGE-ATTACK-BORROWING-FROM-CYBERCRIMINALS/100705", "type": "threatpost", "title": "Safe Targeted Espionage Campaign Borrows from Cybercriminals", "description": "More and more, we\u2019re hearing about a crossing of the streams, if you will, between cybercrime and state-sponsored attackers. Elements of malware, code persistence and distribution techniques are bleeding over between one realm of hacking into the other as each side tries to fill gaps in their respective portfolios.\n\nThe most recent example comes from Safe, a targeted espionage malware campaign recently reported on by Trend Micro. 
Safe has all the elements of a state-sponsored endeavor yet it seems to have been written by a third-party professional software developer with textbook code snippets, extensive commenting throughout the source code and an air of commercialization.\n\n\u201cAs the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses. As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use,\u201d wrote Kyle Wilhoit and Nart Villeneuve in a paper.\n\nSafe, named after the filenames given to several of the malware components, has hit a relatively small number of targets, namely nongovernmental organizations (NGOs), technology companies, government agencies, academic research institutions and media companies. To date, nearly 12,000 unique IP addresses from more than 100 countries have connected to a pair of command and control infrastructures.\n\nEach command and control server had its own set of marching orders for the malware and targets. 
One snared just three live victims, the report said, most of those in Mongolia, while the other had significantly more, and most of those connections originated in India, the U.S., China and Pakistan.\n\nFrom clues discovered from a misconfiguration on one of the C&C servers, the researchers were able to see all of its directories, view victim information and download backup archives that included source code used for the server and malware.\n\n\u201cThis is realistically about a developer who may be cybercrime oriented, but a malware campaign that is espionage oriented,\u201d Wilhoit told Threatpost, who added that this type of professional code development is not uncommon in either the cybercrime or cyberespionage arenas.\n\nAttacks begin with spear phishing emails containing spiked Microsoft Office documents exploiting CVE-2012-0158. The spear phishing messages are targeting Tibetan activists with information about an interview with the exiled Dalai Lama. The attachment is titled: NBC Interview Excerpts. CVE-2012-0158 was also used in the [Red October espionage campaign](<http://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/>) as well as other attacks against [Tibetan activists](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) in China or in exile elsewhere worldwide.\n\nOnce the document is opened, the victim sees a decoy document while files are downloaded in the background, including a .dll file called Safe.Ext which contains the malware and SafeCredential.DAT which contains an RC4 encryption key as well as command and control server information and the targets. Each victim is assigned a unique identifier. 
The second stage of the attack then executes and a number of data exfiltration plug-ins are installed, as well as a number of credential-stealing tools targeting the major browsers and Remote Desktop Protocol.\n\nAside from the malware, the two C&C servers don\u2019t seem to have anything in common. While one uses Mongolian domain names, the second holds nonsensical domain names such as getapencil[.]com. No attack vectors have been discovered for the second server, Trend Micro said. The domains in the second server are registered to a wanxian at 126[.]com, the same address used to register another 17 domains including five C&C servers used in the iMuler and Enfal malware campaigns, Trend Micro said.\n\nThe researchers\u2019 access to the source code illustrated the professionalism at play with this campaign. Apparently, the author had access to source code from a Chinese ISP and used that code in the building of the C&C server.\n\n\u201cWe believe the malware author is a professional software engineer that is familiar with version control. We also found indicators that this individual is proficient in software development due to the high quality of the source code he used. The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers,\u201d the paper said. 
\u201cThese qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science.\u201d\n\nWilhoit told Threatpost they are still investigating and would not release any specific information about targets or the types of data being exfiltrated.", "published": "2013-05-20T14:47:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/targeted-espionage-attack-borrowing-from-cybercriminals/100705/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:47:20"}, {"id": "ESPIONAGE-MALWARE-WATERING-HOLE-ATTACKS-TARGET-DIPLOMATS/116600", "type": "threatpost", "title": "Proofpoint Warns Of New MSIL/Crimson Tied To Cyber Espionage", "description": "Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites.\n\nResearchers at Proofpoint this week published a report on [Operation Transparent Tribe](<https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf>), which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in Pakistan involved in the attacks, which involved an elaborate network of watering hole websites and multiple phishing email campaigns.\n\nThe sustained campaign, Proofpoint said, was designed to allow attackers to drop a remote access Trojan it calls MSIL/Crimson. 
The Trojan had a variety of data exfiltration functions, including access to laptop cameras, screen capture functionality and keylogging.\n\nKevin Epstein, VP of the threat operations center at Proofpoint, told Threatpost that uncovering nation-state cyber espionage is one thing, but being able to expose it as it is happening is rare.\n\n\u201cThis is a multi-year and multi-vector campaign clearly tied to state sponsored espionage,\u201d he said. \u201cIn the world of crimeware, you rarely see this type of complexity. A nation state using multiple vectors, that\u2019s significant.\u201d\n\nHacking has become an increasingly popular and effective weapon in geopolitical conflicts, Epstein said. Groups with ties to most major powers are increasingly using targeted attack campaigns for political and competitive advantage and as a way to perpetrate attacks on critical infrastructure.\n\nEpstein said that typically security analysts only get wind of past campaigns that offer limited insight into pieces of the attack puzzle. With this recent discovery, he said, Proofpoint was able to identify all aspects of the campaign as it was being carried out.\n\n\u201cThis was an elaborate advanced persistent threat that required setting up multiple websites, multiple registrations, a build-out of full content sites and hosting sites,\u201d Epstein said.\n\nOne attack vector was email attachments carrying weaponized RTF documents that exploited the four-year-old [CVE-2012-0158 Microsoft ActiveX vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) and dropped an embedded, encoded portable executable.\n\n\u201cMSIL/Crimson is a logical extension of existing malware. This discovery is less about the bits and bytes of a specific malware,\u201d Epstein said.\n\nMSIL/Crimson, Epstein said, is a stealthy package of exploits. After successful exploitation and decoding of the embedded payload, MSIL/Crimson will be executed on the victim\u2019s machine. 
The first stage in infection is a downloader whose purpose is to download the more fully featured remote access Trojan component, he said.\n\nOther attack vectors for MSIL/Crimson included fake blogs and news websites that contained links to malicious payloads via text and image hyperlinks and desirable files that contained MSIL/Crimson.\n\n\u201cThese were sites that generated content that was designed to interest people in the armed forces,\u201d Epstein said. \u201cThe attackers used topical and original content compelling enough to entice readers to share stories, links and downloads with others in the armed services.\u201d\n\nIn its analysis of MSIL/Crimson, Proofpoint wrote: \u201cMany of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, although the exact nature and attribution associated with this advanced persistent threat remains under investigation.\u201d", "published": "2016-03-04T17:35:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/espionage-malware-watering-hole-attacks-target-diplomats/116600/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:51:29"}, {"id": "NETTRAVELER-ATTACKERS-USING-NSA-PRISM-PROGRAM-AS-BAIT/101006", "type": "threatpost", "title": "NetTraveler Attackers Using PRISM Program as Bait", "description": "Never let it be said that attackers don\u2019t keep up with the news. 
The crew behind the [NetTraveler cyberespionage attacks](<https://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/>) is now using the news about the NSA\u2019s PRISM surveillance program as bait in a new spear-phishing campaign.\n\nSecurity researcher Brandon Dixon of 9bplus came across a malicious email this week that plays off the recent spate of news stories about the leaked data on the National Security Agency\u2019s PRISM program, which is designed to gather data on users from a variety of large Internet companies, reportedly including Microsoft, Apple, Google and others. The email is designed to look like it was sent by Jill Kelley, the woman who helped expose the affair that David Petraeus was having.\n\nDixon said that the message was targeted at someone involved with the Regional Tibet Youth Congress in India and included a malicious Word document that had many of the earmarks of the tactics used by the NetTraveler attackers.\n\n\u201cThe attachment is a Word document labeled \u2018Monitored List 1.doc\u2019, exploiting the always favored CVE-2012-0158 and can be tied back to the same actors involved in the [NetTraveler 
campaigns](<http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf>) brought to light by Kaspersky. It\u2019s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed. Again, this sort of behavior shows poor operational security or a complete lack of care,\u201d Dixon wrote in his [analysis of the email](<http://blog.9bplus.com/prism-lure-in-use-by-nettraveler-attackers/>).\n\nThe text of the email is crammed with somewhat nonsensical text mentioning the [NSA PRISM program](<https://threatpost.com/always-outmanned-always-outgunned/>), Edward Snowden, the former NSA contractor responsible for the leaks, and the CIA. Once the malicious Word document is opened on a target machine, it writes several files to the hard drive, including one named \u201cdw20.exe\u201d, which has been seen in use by the NetTraveler crew in the past. Dixon said he wasn\u2019t able to identify the IP address or command and control server associated with the email campaign, but he believes there are likely additional emails out there like the one he found.\n\n\u201cWhatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. The NetTraveler attackers have been going strong since the early 2007-2008\u2032s and I doubt they will be stopping anytime soon,\u201d Dixon said.\n\nKurt Baumgartner, a security researcher at Kaspersky Lab who did some of the original research on the NetTraveler campaign, said the group behind the attacks is oddly incautious in its tactics.\n\n\u201cThese groups are surprisingly bold. 
Not only did we see this group maintain backdoors on their victim systems alongside Red October backdoors, but the NetTraveler infrastructure continues to be in active use even after the operation has moved out of the shadows and into the public light,\u201d he said.\n\n_Image from Flickr photos of [LadyDragonflyCC](<https://secure.flickr.com/photos/ladydragonflyherworld/>)._", "published": "2013-06-18T10:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/nettraveler-attackers-using-nsa-prism-program-as-bait/101006/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-04T20:50:50"}], "packetstorm": [{"id": "PACKETSTORM:112176", "type": "packetstorm", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "description": "", "published": "2012-04-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/112176/MS12-027-MSCOMCTL-ActiveX-Buffer-Overflow.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-12-05T22:18:53"}], "seebug": [{"id": "SSV-72818", "type": "seebug", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "description": "Summary: \nMicrosoft Office is a very popular office software suite released by Microsoft.\n\nThe (1) ListView, (2) ListView2, (3) TreeView and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3 and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime contain a vulnerability. 
A remote attacker could exploit it to execute arbitrary code via a specially crafted (a) web site, (b) Office document, or (c) .rtf file that triggers \"system state\" memory corruption. The vulnerability was disclosed in April 2012 and is also known as the \"MSCOMCTL.OCX RCE vulnerability\".\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-72818", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-07-28T13:05:26"}], "exploitdb": [{"id": "EDB-ID:18780", "type": "exploitdb", "title": "WIndows - MSCOMCTL ActiveX Buffer Overflow MS12-027", "description": "MS12-027 MSCOMCTL ActiveX Buffer Overflow. CVE-2012-0158. Remote exploit for windows platform", "published": "2012-04-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18780/", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-02-02T10:26:20"}], "fireeye": [{"id": "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. 
The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well as some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. 
Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/hongkongdropbox/hongkongdropboxfig1.jpg)\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. 
This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\nMD5 | Filename\n---|---\nb9208a5b0504cb2283b1144fc455eaaa | \u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc\nec19ed7cddf92984906325da59f75351 | \u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc\n6495b384748188188d09e9d5a0c401a4 | (\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc\n\nIn all three cases, the payload was the same:\n\nMD5 | Filename\n---|---\nd76261ba3b624933a6ebb5dd73758db4 | time.exe\n\nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware uses the Dropbox API to make an HTTP GET request over HTTPS (TCP port 443) for the files:\n\nMD5 | Filename\n---|---\nd76261ba3b624933a6ebb5dd73758db4 | WmiApCom\n79b68cdd0044edd4fbf8067b22878644 | WmiApCom.bat\n\nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. 
Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n```\n@echo off\ndir c:\\ >> %temp%\\download\nipconfig /all >> %temp%\\download\nnet user >> %temp%\\download\nnet user /domain >> %temp%\\download\nver >> %temp%\\download\ndel %0\n```\n\n```\n@echo off\ndir \"c:\\Documents and Settings\" >> %temp%\\download\ndir \"c:\\Program Files\\\" >> %temp%\\download\nnet start >> %temp%\\download\nnet localgroup administrator >> %temp%\\download\nnetstat -ano >> %temp%\\download\n```\n\nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n```\n@echo off\nren \"%temp%\\upload\" audiodg.exe\nstart %temp%\\audiodg.exe\ndir d:\\ >> %temp%\\download\nsysteminfo >> %temp%\\download\ndel %0\n```\n\nWe have previously observed the admin@338 group use BUBBLEWRAP. 
This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\n| MD5 | CnC domain | IP address |\n|---|---|---|\n| 0beb957923df2c885d29a9c1743dd94b | accounts.serveftp.com | 59.188.0.197 |\n\nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit, the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. 
The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files of 0-4 bytes that dictate the frequency of check-ins with the CnC\n\nThe threat actor then downloads the results and deletes the files from the cloud storage account.\n\n# Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first-stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second-stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.\n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence.\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. 
http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "published": "2015-12-01T08:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-03-07T16:24:18"}, {"id": "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). 
These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig1.png)** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. 
This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig2.png) \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig3.PNG)\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig4.PNG) \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig5.png) \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. 
This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig6.png) \n\n\n**Figure 5: Encryption/ Decryption Function**\n\n * Generate an array of integers from 0x00 to 0xff\n * Scrambles the state of the table using the given key\n * Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. 
The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/apt-india-gov-fig7.PNG)\n\n**Conclusion** \nAs with previous spear-phishing attacks conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks, and we observed that this group is still actively expanding its toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n**Encryption / Decryption algorithm translated into Python**\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/APT%20India%20Gov/appendix%20spear%20phishing.png)\n", "published": "2016-06-03T01:30:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-03-07T16:24:17"}, {"id": "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. 
After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Laziok/Fig1.jpg)\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and exploits CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11), abusing the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections and thus enabling attackers to enter the \u201cGodMode\u201d function. CVE-2014-6332 usage, along with GodMode privilege abuse, has been used as a combination since late 2014 via a known PoC[ii], as seen in Figures 2a and 2b:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Laziok/Fig2a.jpg)\n\nFigure 2a. CVE-2014-6332 usage\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Laziok/Fig2b.jpg)\n\nFigure 2b. 
Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download the malware and execute it from the path defined by the %APPDATA% environment variable via the DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly into memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Laziok/Fig3.jpg)\n\nFigure 3. 
Using PowerShell to fetch payload hosted on Google Docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n```\n00406471 PUSH 21279964.00414EED ASCII \"open\"\n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\"\n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\"\n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\"\n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\"\n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\"\n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\"\n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\"\n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\"\n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\"\n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\"\n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\"\n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\"\n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\"\n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\"\n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\"\n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\"\n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\"\n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\"\n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\"\n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\"\n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\"\n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\"\n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\"\n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\"\n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\"\n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\"\n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\"\n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\"\n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n```\n\nThe above instructions from the unpacked payload highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about the computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders under well-known process names, such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36]\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. 
\n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "published": "2016-04-21T13:45:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "cvelist": ["CVE-2014-6332", "CVE-2012-0158"], "lastseen": "2017-03-07T16:24:19"}, {"id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes developing a safe RTF parser challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. 
[CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser, and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature-based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs.\n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple of different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. 
Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab1.png)\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab2.png)\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Fig1.png)\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. 
The following example demonstrates this obfuscation:\n\n| Obfuscated | `{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}}` |\n|---|---|\n| Clear | `{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}}` |\n\nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature-based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed a variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE-related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab3.png)\n\n`<objtype>` specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. 
The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n| `<data>` | `(\\binN #BDATA) \\| #SDATA` |\n|---|---|\n| `#BDATA` | Binary data |\n| `#SDATA` | Hexadecimal data |\n\nAttackers would try to insert various elements into the `<data>` to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into the hex values 313233 in memory.\n\n| Obfuscated | `{\\object\\objocx\\objdata \\bin3 123}` |\n|---|---|\n| Clear | `{\\object\\objocx\\objdata 313233}` |\n\nLet\u2019s look at another example:\n\n| Obfuscated | `{\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123}` |\n|---|---|\n| Clear | `{\\object\\objocx\\objdata 313233}` |\n\nIf we try to call atoi or atol with the long numeric parameter string in the table above, we will get 0x7fffffff, while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab4.png)\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters 0x0D (\\r), 0x0A (\\n) and 0x09 (\\t) are ignored.\n\nd. 
Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n```\n\\}\n\\{\n\\%\n\\+\n\\-\n\\\\\n\\'hh\n```\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\'hh. Let\u2019s look into an example first:\n\n| Obfuscated | `{\\object\\objocx\\objdata 341\\'112345 }` |\n|---|---|\n| Clear | `{\\object\\objocx\\objdata 342345}` |\n\nWhen parsing \\'11, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\'11 has also been discarded. Once the RTF parser parses the 1 right before \\'11, which is the higher 4 bits of an octet, and then immediately encounters \\'11, the higher 4 bits are discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure; the two 1s in the yellow rows are from \\'11. It\u2019s clear that the mixed-in \\'11 corrupts the state variable, which causes the higher 4 bits of the second byte to be discarded:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab5.png)\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. 
All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab6.png)\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). 
This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. \n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nRTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab9.png)\n\nThe object pointed by lpolestream contains a pointer to OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF Parser:\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/RFT%20malware%20Yang/Tab10.png)\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. 
You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques for \\objdata also apply to embedded images, but for images there seems to be no single convenient choke point like OleConvertOLESTREAMToIStorage. To extract an obfuscated picture, locate the RTF parsing code quickly with a data breakpoint; that will reveal the best point at which to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "published": "2016-05-20T14:59:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "lastseen": "2017-03-07T16:24:18"}], "openvas": [{"id": "OPENVAS:902829", "type": "openvas", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "published": "2012-04-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=902829", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-07-02T21:10:34"}], "canvas": [{"id": "MS12_027", "type": "canvas", "title": "Immunity Canvas: MS12_027", "description": "**Name**| ms12_027 \n---|--- \n**CVE**| CVE-2012-0158 \n**Exploit Pack**| 
[CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-027 MSCOMCTL.OCX ActiveX Buffer Overflow \n**Notes**| CVE Name: CVE-2012-0158 \nVENDOR: Microsoft \nNotes: \n \nYou should manually start a Universal listener for this exploit. \nThe listener IP and PORT should be declared in the module configuration \ndialog. \n \nTested on: \n* Windows XP Professional SP3 English with Office 2010 Standard \n* Windows 7 English. \n \nThe Universal Windows version needs the target to have Word opened \nfor a few seconds before executing the file. \n \nUsage: \nGenerate rtf file and send to target. \n \n \nVersionsAffected: Office 2003 to Office 2010 SP1 \nRepeatability: \nMSADV: MS12-027 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-027 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 \nDate public: 04/10/2012 \nCVSS: 9.3 \n\n", "published": "2012-04-10T17:55:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_027", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-09-25T14:13:06"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS12_027_MSCOMCTL_BOF", "type": "metasploit", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module supports Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. 
This chain uses \"msgr3en.dll\", which is loaded only after Office itself has loaded, so the malicious file must be loaded through \"File / Open\" to achieve exploitation.", "published": "2012-04-23T20:59:25", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-08-21T15:30:30"}], "zdt": [{"id": "1337DAY-ID-22772", "type": "zdt", "title": "Microsoft Office Word 2003+2007+2010 Universal 0day Exploit", "description": "This module targets Office 2003 [no-SP/SP1/SP2/SP3] + 2007 [no-SP/SP/SP2/SP3] + Office 2010 [no-SP/SP1] versions.\r This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. Exploitation on this one is easy. We created a VM with Windows 7 fully patched and then installed Microsoft Office 2007 (no SP). \r We rebooted the VM. We loaded up the MS Office Word 2003+2007+2010 mscomctl Universal Exploit (CVE-2012-0158) exploit in metasploit and set up a meterpreter reverse tcp payload. We created the malicious msf.doc file by exploiting the module and then set up a multi-handler with a reverse tcp payload. We copied the malicious msf.doc file to the target machine using an SMB transfer. The stage was sent when we opened the msf.doc file and a meterpreter session was opened with our user account. We installed the SP 3 patch for Office and rebooted the machine. We tested the exploit again and received a meterpreter shell. We rolled back the VM to a clean Windows install and then installed Office Professional 2010 with SP1. We repeated the above exploitation steps and were given another meterpreter session.\n\nThis is a private exploit. 
You can buy it at http://0day.today", "published": "2014-10-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://0day.today/exploit/description/22772", "cvelist": ["CVE-2012-0158"], "lastseen": "2016-04-18T23:53:41"}], "nessus": [{"id": "SMB_NT_MS12-027.NASL", "type": "nessus", "title": "MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)", "description": "A memory corruption issue exists in Windows common controls, specifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2, MSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of MSCOMCTL.OCX, due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue by convincing a user to view a specially crafted web page, resulting in the execution of arbitrary code.", "published": "2012-04-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=58659", "cvelist": ["CVE-2012-0158"], "lastseen": "2017-07-26T23:49:19"}], "myhack58": [{"id": "MYHACK58:62201681759", "type": "myhack58", "title": "Hands-on: how to construct Office exploit EXPs (part 4) - bug warning - the black bar safety net", "description": "This issue shares a study summary of CVE-2015-1641, a vulnerability whose good versatility and stability are claimed to have made it the successor to CVE-2012-0158. It is a type confusion vulnerability through which data can be written to an arbitrary memory address; combined with some typical exploitation techniques suited to the vulnerability's characteristics, this can lead to arbitrary code execution. 
\nThe vulnerability principle\nThe common samples for this vulnerability are RTF files. This is related to the exploit described below, mainly because RTF makes it convenient to assemble the exploit components, though this is not absolute. The root cause, however, is independent of the RTF format and lies in the implementation of the Office Open XML document format. A typical Word document in this format, with the extension docx, is really a zip package containing the document's internal resources organized as Open XML. The RTF samples for this vulnerability generally contain three embedded docx components: two are used to trigger the vulnerability and the third serves as the exploit component, though again this is not absolute. \n! [](/Article/UploadPic/2016-12/2016123171529970. png? www. myhack58. com! web) \nThe three zip packages above were extracted from the RTF sample. A simple way to extract them: Word has an Insert Object function that can embed another Word document; this sample embeds the three docx documents and the main document is then saved as RTF, so each of the three embedded docx objects appears in the main file as a run of hexadecimal data, i.e. the hex encoding of the three files. You can therefore pull the hex encoding out of the main file with a regular expression in an editor such as Notepad++:\u201c\\\\\\objdata [0-9a-f\\r\\n]+\u201d, and then save it as the three docx/zip files with a hex editor such as 010 Editor. 
After that you can begin to analyze the root cause. First, remove the zip suffix from the second target file and open it with Office; Word crashes immediately, and in the debugger the crash point is an assignment instruction where ecx holds a stable memory address, one that points into msvcr71.dll, a module the exploit uses to bypass ASLR: \n! [](/Article/UploadPic/2016-12/2016123171529671. png? www. myhack58. com! web) \nLooking at the file instead, adding the zip suffix and decompressing it gives the following: \n! [](/Article/UploadPic/2016-12/2016123171529361. png? www. myhack58. com! web) \nHere document.xml under the word directory is the primary document that organizes the document resources; the document's text content is usually inside it too, and in this file we find the main content that triggers the vulnerability: \n! [](/Article/UploadPic/2016-12/2016123171530503. png? www. myhack58. com! web) \nThe ecx value seen at the crash point in the debugger is simply the Unicode-encoded attribute value of the smartTag element, and provided that the msvcr71 module was loaded beforehand, a memory copy follows: the destination address is computed from ecx, and the data copied is 0xffffe696, which is the id value 4294960790 of the nested moveFromRange* element: \n! [](/Article/UploadPic/2016-12/2016123171530111. png? www. myhack58. com! web) \nThus, by constructing the file contents, controlling two values is enough to obtain an arbitrary-address memory write. Of course, what we care about more is the principle behind this construction. 
This content is a set of nested Open XML tags: the outermost is the smartTag element and the innermost is the moveFromRange* element. Consulting the MSDN documentation for each of them gives the details of these tags; pay particular attention to the description of the displaceByCustomXml attribute of the moveFromRange* element: \n! [](/Article/UploadPic/2016-12/2016123171530291. png? www. myhack58. com! web) \nAs the figure shows, this attribute specifies that the element is displaced by a custom XML element; in other words, this attribute of the moveFromRange* element designates a parent customXml object to be replaced. However, there is no customXml tag in the sample content. Looking carefully at the descriptions of the customXml and smartTag tags, the two elements are not only similar in function, but their internal attribute structures are also, interestingly, consistent with each other: \n! [](/Article/UploadPic/2016-12/2016123171530419. png? www. myhack58. com! web) \nOne can imagine them as twin tags produced from the same template that Microsoft assigned to different jobs, such that sometimes Microsoft itself cannot tell which is which. That is exactly how the type confusion arises: at the crash position seen in the debugger, Word has parsed the moveFromRange* element and is preparing to transfer its internal id into the \u201cspace\u201d inside the parent smartTag (or customXml) object. 
Tracing this process backwards and comparing the two cases: in the normal case, where the parent tag is customXml, the transfer first allocates memory and then copies the id into the new memory space; in the confused case, because the two objects are fundamentally different, the id value is transferred directly into some existing internal space of the smartTag object. The figure below contrasts the code trace for the two cases: \n! [](/Article/UploadPic/2016-12/2016123171530657. png? www. myhack58. com! web) \nBecause the attribute members inside the two tags are similar enough to cause type confusion, the syntax passes the internal check, but the actual parsing process lacks a strict check of the object's internals. The smartTag object is therefore mistaken for a customXml object, and when moveFromRange* is parsed the memory space that needs replacing is assumed to already exist, so the copy is performed directly at the wrong location, producing this exploitable vulnerability. \nConstructing a POC that triggers the vulnerability \nFrom the principle above, the vulnerable scenario is Word parsing a customXml tag that contains a displacement marker: the moveFromRange* tag is supposed to pass its id up to the parent customXml object, but because customXml and its sibling tag smartTag are so similar, replacing the customXml tag with a smartTag triggers the type confusion and the resulting memory-copy vulnerability. 
The following describes how to construct a POC sample that triggers the vulnerability. First, one thing must be clear: to achieve an arbitrary memory write, the two values we need to control are the element attribute value of the confused smartTag tag and the id value of the moveFromRange* tag, which determine respectively the memory address to overwrite and the data written. Tracing backwards from the crash function mentioned above: \n\n\n**[1] [[2]](<81759_2.htm>) [[3]](<81759_3.htm>) [next](<81759_2.htm>)**\n", "published": "2016-12-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.myhack58.com/Article/html/3/62/2016/81759.htm", "cvelist": ["CVE-2012-0158", "CVE-2015-1641"], "lastseen": "2016-12-03T17:44:02"}], "talosblog": [{"id": "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "type": "talosblog", "title": "When combining exploits for added effect goes wrong", "description": "<h3 id=\"h.o562lfhybzl7\">Introduction</h3><br />Since public disclosure in April 2017, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199\">CVE-2017-0199</a> has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.<br /><br />In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158\">CVE-2012-0158</a>, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. 
In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.<br /><br />Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.<br /><br /> Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.<br /> <br /> Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn\u2019t quite work out, or it may be an indication of future attacks yet to materialise.<br /> <a name='more'></a><br /><br /><h3 id=\"h.8er5iyy5kysj\">Standard CVE-2017-0199 exploitation</h3><div><br /></div>A typical attack exploiting CVE-2017-0199 consists of an email campaign distributing a malicious RTF document. The vulnerability exists in code that handles Ole2Link embedded objects. 
Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.<br /><br /><a href=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s1600/image3.png\" imageanchor=\"1\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s640/image3.png\" width=\"640\" /></a> <br /><div style=\"text-align: center;\">Standard CVE-2017-0199 flow</div><br />If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"309\" data-original-width=\"1438\" height=\"138\" src=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt</div><div style=\"text-align: center;\"><br /></div><h3 id=\"h.roxzrd10uaho\">Modified CVE-2017-0199 flow</h3><br />In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. 
Referring to the attachment as a purchase order coming from an unknown \"partner\" is a very common social engineering trick of spammed malware. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"461\" data-original-width=\"1049\" height=\"280\" src=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s640/image6.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Email message launching the modified attack</div><div style=\"text-align: center;\"><br /></div>The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. <br /><br />The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"500\" data-original-width=\"1600\" height=\"200\" src=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word crashes without the prompt</div><br />The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"330\" data-original-width=\"1600\" height=\"132\" src=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s640/image5.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode for CVE-2012-0158</div><br />This stage is responsible for the application crash. 
The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. <br /><br />The shellcode starts with resolving several API addresses, which allow the code to traverse all open files by bruteforcing the handle numbers for open files, starting from zero and increasing the handle number by four for every next open file handle. If the handle exists, the shellcode attempts to check the file size using the GetFileSize API that takes the file handle as the parameter. If the file size is within the expected range the shellcode maps it in memory to perform a file type check. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"875\" data-original-width=\"1537\" height=\"364\" src=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Checking the file size and finding file type</div><div style=\"text-align: center;\"><br /></div>The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. 
Since the CVE-2017-0199 exploiting file is open before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"681\" data-original-width=\"1567\" height=\"278\" src=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode looking for the next shellcode stage marker</div><div style=\"text-align: center;\"><br /></div>The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error by reading memory content past the allocated memory blocks. <br /><br />If the attackers had been just a little bit more technically savvy they would have realized this problem and could easily have fixed it to make these two exploits work together successfully without the prompt to load the remote content being displayed to the end-user. <br /><br />One possible fix involves changing a single byte to make the file size limits a bit stricter to exclude the original CVE-2017-0199 file size. 
The other way, just slightly more complex, is to correctly handle cases when the next stage marker is not found within the RTF and assume that the targeted Word process already has other RTF documents opened which satisfy the file size condition.<br /><br />Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness. <br /><br /><h3 id=\"h.1g5ixz26t8g5\">Second stage shellcode</h3><br />The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final \"download and execute\" shellcode stage which eventually launches the executable payload.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"933\" data-original-width=\"1600\" height=\"372\" src=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process</div><div style=\"text-align: center;\"><br /></div>The last shellcode stage, injected into svchost.exe uses UrlDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and calls the ShellExecute function to launch the final payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"575\" data-original-width=\"1350\" height=\"272\" src=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s640/image2.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Download and execute stage</div><br />The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"392\" data-original-width=\"1054\" height=\"238\" src=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s640/image7.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">DNS activity for multplelabs.com</div><br />The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. <br /><br />The DNS activity confirms our findings which document the reasons for the attack failure.<br /><h3 id=\"h.via3e3ir4d9t\">Conclusion</h3><br />CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. <a href=\"https://www.virusbulletin.com/blog/2017/06/cve-2017-0199-new-cve-2012-0158/\">Previous work</a> indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. <br /><br />In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s640/image11.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Attempted combined attack stages</div><br />One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability.<br /><br />An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. <br /><br />This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. 
This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8lbs60io8ukk\">Coverage</h3><br /><a href=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"336\" data-original-width=\"400\" height=\"268\" src=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s320/image8.png\" width=\"320\" /></a>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Email Security can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.<br /><br />AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br /><br />Umbrella prevents DNS resolution of the domains associated with malicious activity.<br /><br />Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><h3 id=\"h.3lh94s3hk6jp\">IOCs</h3><br />Documents<br /><br />5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199<br />6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158<br /><br />Executables<br /><br />351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474<br />f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6<br 
/>43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe<br />d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13<br /><br />URLs<br /><br />hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158<br />hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper<br />hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2", "published": "2017-08-14T09:55:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/tm25zXE3Ntc/when-combining-exploits-for-added.html", "cvelist": ["CVE-2012-0158", "CVE-2017-0199"], "lastseen": "2017-08-14T18:08:43"}]}}